Yesterday the DHS ICS-CERT published an alert for a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors reported by Billy Rios and Terry McCorkle of Cylance. No link is provided for the specific report that instigated this alert. This vulnerability is hardly news since there have been news reports about the Rios and McCorkle work in this area since at least January.
This may have more to do with today’s publication in the Federal Register (78 FR 35940) of a notice of availability of FDA draft guidance on “recommendations to consider and document in FDA medical device premarket submissions to provide effective cybersecurity management and to reduce the risk that device functionality is intentionally or unintentionally compromised”.
According to this FDA notice: “The draft guidance, when finalized, will represent the Agency's current thinking on management of cybersecurity in medical devices.”
A copy of the draft guidance is available from the FDA web site. After a quick scan of the document I find it disturbing that it concentrates on the information security aspects of the problem rather than on the control system issues. While I certainly wouldn’t want anyone to have access to medical information about or from a device implanted in my body, I would be much more concerned about the ability of some unauthorized person (or even an authorized person in some cases) to change device settings without my consent or informed approval.
The FDA is soliciting public comment on this draft-guidance. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2013-D-0616). It appears that the FDA will be working expeditiously (SARCASM Alert) on this issue; they are requesting comments be filed by September 12, 2013.